12 April 2018


The Chief Executive 
All Authorized Institutions 


Dear Sir/Madam, 


Feedback from Recent Thematic Review of AIs’ Sanctions Screening Systems


I am writing to share key observations and good practices that have been
identified in the recent thematic review of the financial sanctions screening
systems of Authorized Institutions (AIs). The adequacy of AIs’ sanctions
screening systems and controls is a supervisory priority for the Hong Kong
Monetary Authority (HKMA), especially in the light of recent geopolitical
developments, and this review is part of a series of initiatives to strengthen the
collective ability of AIs to meet their sanctions obligations¹.


Our review revealed that while the sanctions screening systems as examined are
in general performing within industry benchmarks, there are some issues and
good practices in relation to the effectiveness and efficiency of the systems,
which warrant further attention by AIs. Details of our overall findings,
including examples of good practices and areas for improvement, are set out in
the Annex. Where weaknesses were identified, the AIs concerned have been
required to undertake remedial actions.


To understand and optimize the performance of screening systems and
processes, AIs are expected to (i) give consideration to adopting the good
practices, where appropriate, and a gap analysis should be performed at a
minimum; and (ii) to put in place, if not already, regular sanctions screening
system testing that provides robust reporting and quality assurance² to senior
management that the regulatory expectations set out in the Annex are being met.
The HKMA will collect information from all AIs in the third quarter of 2018 on
individual action plans and consider conducting further reviews on relevant data
and results on AIs in due course following a risk-based approach.

1 Including the HKMA’s circulars on 31 January 2018 (Anti-Money Laundering / Counter-Terrorist
Financing: United Nations Sanctions) and 8 March 2018 (FATF Guidance on Counter Proliferation


To further communicate our regulatory expectations, the HKMA will host a
seminar on 23 April 2018 in which key observations and practices from this
review will also be discussed and to which AIs are encouraged to attend.

If you have any questions on this circular, please contact Ms Joyce Chan at
2878-8281 or Ms Queenie Chan at 2878-1514.


Yours faithfully, 


Carmen Chu 
Executive Director (Enforcement and AML) 


Encl. 


2 This should be conducted by a party having subject matter expertise. While some AIs may have
dedicated teams, others may need to seek external input depending on individual circumstances.


Annex 


Feedback from Thematic Reviews of AIs’ Sanctions Screening Systems


AIs should take adequate measures, which include effective sanctions screening
systems which are appropriate to the nature and size of businesses, to meet their
obligations under Hong Kong’s financial sanctions regime. These obligations,
together with other relevant considerations, are set out in Chapter 6 of the Guideline
on Anti-Money Laundering and Counter-Terrorist Financing (For AIs)¹ (AML
Guideline). It is the HKMA’s regulatory requirement on AIs that sanctions screening
should be conducted for new customers and payments as well as for existing
customers whenever new designations are published².


This note provides feedback from thematic reviews conducted over the past few
months and aims to provide further guidance to AIs in implementing effective,
risk-based screening systems. To provide greater clarity, specific regulatory
expectations are included in text boxes and may be used by AIs as self-assessment
questions. Key observations are provided together with some examples of good
practices for reference, while AIs should note that these are not meant to be an
exhaustive list for meeting regulatory expectations.


Given the focus of the thematic review exercise, this note does not cover other aspects
of effective sanctions risk management, for example, the quality of data input (for
completeness and accuracy) or the quality of the data output (how matches are being
investigated and escalation handled). AIs should make further reference to the AML
Guideline and the HKMA Guidance Paper “Transaction Screening, Transaction
Monitoring and Suspicious Transaction Reporting” issued in December 2013,
adopting a risk-based approach in implementation.


1 Chapter 6 ‘Financial Sanctions and Terrorist Financing’
2 Paragraph 6.22 AML Guideline


AIs’ senior management should consider the risk of sanctions breaches and
determine the appropriate level of sanctions screening to manage the risk
for the AI

1.1 AIs should be able to demonstrate a proven methodology for determining
system settings and performance, and which is consistent with compliance
policies and risk appetite. This includes a thorough understanding of the risks,
the types of customer the AI has and the geographic regions the customers are
operating in. Most AIs as examined in the thematic review were able to
articulate their respective choices of system configuration and settings to
varying degrees and some in great detail, while a few AIs demonstrated
over-reliance on the vendor and were only able to provide a more simplistic
response, without being able to provide clear reasons why specific settings had
been adopted.

1.2 Where a group-wide policy is in place, AIs must understand and be able to
justify, in line with compliance policies and risk appetite, any variations in
system settings or configuration adopted locally which impacts performance of
the system. This applies to the lists and data which are entered into systems
and against which screening is conducted and also the algorithms / rules utilised
(referred to as “system filters”). Some variations were observed in the
thematic review while a few AIs were unable to adequately demonstrate how
any deviation from the group-wide policy would affect the effectiveness and
efficiency of its screening system, such as accuracy and number of alerts
generated.

1.3 While not included in the review, as additional guidance, Management
Information (MI) should provide senior management with adequate information
to understand the financial crime risks to which the AI may be exposed. In the
context of sanctions risk management, this may include an overview of the
sanctions risks to which the AI is exposed, the effectiveness of certain aspects of
system performance, such as screening and relevant information regarding
volume of alerts, details of false positives, genuine sanctions hits, etc.


New systems, or upgrades to existing systems need to be thoroughly tested
and tuned prior to deployment, with sufficient levels of reporting and
oversight

2.1 A few AIs were not able to demonstrate that adequate testing had taken place
before system deployment. As a good practice, AIs should take steps to satisfy
themselves the system is appropriate and operating as expected before relying
on automated screening systems. If an AI is upgrading an existing screening
system, testing should be conducted prior to deployment to check that all system
filters work properly and that the new system is an improvement over the old
one. AIs should document that testing and analysis have been duly conducted.

Ongoing monitoring, tuning and testing should be conducted on all aspects
of sanctions screening systems, lists and processes on a regular and frequent
basis

3.1 AIs are expected to have an adequate understanding of their obligations under
the sanctions regime in Hong Kong and, as applicable, in other jurisdictions in
relation to AI’s international operations. Generally, most of the AIs examined
in the thematic review had an adequate understanding of the above obligations.

3.2 Most AIs carried out quality assurance work on the effectiveness of their
sanctions systems, although frequency and intensity varied. Many AIs had
systems validated by external vendors and where this was the case, there was
generally a better understanding of system / filter performance and the various
factors underpinning such performance. Most AIs in the review exercise
expressed that system effectiveness was one of the more challenging areas to
test, since it required dummy data to validate the end result. It should be noted
that regardless of how testing is performed, the testing process should be
independent and provide the level of validation required.

3.3 With regards to frequency of testing, running a test once a year or every few
years will not provide sufficient ongoing comfort that best efforts are being
made to meet obligations. Testing must be performed frequently to maintain a
system which is both effective and efficient, ensuring that latest sanctions list
changes are tested and that system filters are operating within expectations³.


As revealed in the thematic review, a few AIs which did not carry out frequent
testing and tuning internally were unable to demonstrate an adequate
understanding of system filter performance and had not collated the necessary
information and data to make correct decisions with regards to system settings.

3 The database of AIs’ designated parties should be updated in a timely manner in accordance with
Chapter 6 of the AML Guideline.

AIs are expected to have a clear and demonstrable understanding of the
system filters utilised in their screening technology, and to employ / equip
staff with the right skills and knowledge to support the deployment of
effective sanctions screening systems

4.1 Many AIs as examined in the review had developed appropriate internal training
programmes for staff in key roles. During the post-test interviews, these AIs
with training programmes and relevant subject matter expertise demonstrated a
more thorough understanding of system filter performance. It was apparent in a
few other interviews, however, that staff had not been provided with the right
skills to support effective system deployment.

4.2 Most AIs in the review exercise were able to clearly describe specific decisions
around the lists their system operated and the filters employed. Explanations for
each setting within the system should be properly documented. The review also
revealed a few AIs that had limited knowledge of system filter performance or
whether certain sanctions lists were in scope of the screening system or not.

4.3 There should also be clarity around ownership and accountability of the risk and
which functions, compliance or information technology units, should contribute
to managing that risk, for example, by ensuring that sanctions lists are kept up to
date.

4.4 Suppression (or good guy/false hit) lists should be subject to particularly robust
oversight. The reason for the inclusion of each entry should be documented
properly, and these lists should be subject to regular maintenance and reviews.
Appropriate approval should also be sought with respect to these regular reviews,
as well as prior to the inclusion of any entry into these lists.





AIs are expected to conduct ongoing tuning of system filters to reduce the
level of false positives without compromising effectiveness

5.1 AIs should understand their required level of effectiveness based on risk appetite,
but should at the same time tune the system for greater efficiency where possible.
Most AIs in the review understood the competing relationship between
effectiveness and efficiency of the system and could evidence this understanding
through actions such as monitoring levels of false positives. In those AIs where
there was proactive and ongoing fine tuning to achieve greater efficiency, there
was also a more comprehensive understanding of how the system, and the filters
employed, operated. In a few AIs we noted high volumes of alerts, and where
there was great dependency on vendor support and a general lack of awareness
of the need for system optimization in one or two cases.


